Developing secure software is a management issue

Computerworld - When security vulnerabilities in a vendor's software are exploited, significant costs are faced by the vendor and its software users. Software with security vulnerabilities harms an organization's reputation with customers, partners and investors. It increases costs as companies are forced to repair unreliable applications, and it delays other development efforts as limited resources are assigned to address current software deficiencies.
With the increased scrutiny of internal processes and controls resulting from mandates such as the Sarbanes-Oxley Act, executives are demanding that IT improve the development process in order to create more secure and reliable software.
Fix a flawed development process
All software has bugs, and a large number of these bugs have security implications. It's not just buggy code that is an issue. Software behavior and coding practices that were considered safe at the time of writing may now be ripe for exploitation by malicious hackers.
The problem for software development organizations is that they must simultaneously reduce software vulnerabilities while keeping operational costs in check. Plus, any new development strategy is expected to be applicable across geographically distributed teams -- including offshore service providers.
Something has to change. Software quality, and specifically software security, must be improved, and the most effective means is to address the root causes of poor software -- the defects in the source code. But to improve software, the current flawed development process must be addressed.
Start by assessing the situation
Rather than throwing more money and resources into a flawed process, companies need a new plan of action. Before implementing new processes and investing in new tools, companies should consider these steps:
Ensure information flow: A smart software development process ensures timely and effective information sharing. This enhanced knowledge improves communication between management and the development teams, allows developers to work with solid and secure architecture and coding practices, provides visibility into an application's context and its health at any point in the development life cycle, and lets IT manage software assets like other business assets.
Know the goals: A key consideration for any software security initiative is whether the goal is to audit the current state of your software's security or to implement a change in current development practices. An audit is a one-time event, while an in-process deployment can improve the security of existing applications, as well as provide the necessary experience, tools and processes to extend the concept of secure development throughout the entire development organization.
Determine strategies for new and existing code: Attempting to retrofit secure coding practices into existing